Texas is set to become the tenth state to enact comprehensive privacy legislation after state lawmakers passed HB 4, the Texas Data Privacy and Security Act (TDPSA or the Act), on May 28, 2023. Unless Governor Greg Abbott vetoes the Act, it will take effect July 1, 2024.
While modeled generally on the Virginia Consumer Data Protection Act (VCDPA), the TDPSA differs in several key respects – reportedly in an effort to clarify ambiguities that have arisen under the VCDPA and similar comprehensive consumer data privacy laws in other states. Among other things, the TDPSA diverges from some of these laws in terms of its (1) applicability and scope; (2) definitions (eg, of “personal data,” “sale of personal data,” and “consent”); and (3) controller obligations (eg, data protection assessments for high-risk processing activities and opt-in consent for processing sensitive data).
The TDPSA applies to individuals and entities that (1) process or sell personal data, and (2) conduct business in Texas or produce a product or service “consumed by” Texas residents.
Unlike other states’ consumer data privacy laws, the TDPSA applies to entities that produce a product or service “consumed by” – as opposed to “targeted to” – state residents. The change was reportedly made to ensure that companies could not argue that since they did not target Texas residents (but intended simply to send information over the internet) they are not subject to the TDPSA.
Exempted entities and information
Similarly, because Texas lawmakers regarded the revenue and data processing thresholds in other state privacy laws as arbitrary and difficult to discern, the TDPSA simply exempts “small businesses,” as defined by the United States Small Business Administration (SBA). The SBA’s guidelines, they note, are clearly defined in law, tailored by industry, and do not require additional compliance costs to determine if the bill is applicable to a company. Notably, however, a small business is still required to obtain consumer consent before engaging in the sale of sensitive personal data.
The TDPSA also provides typical exemptions for various types of entities and information, including:
- State government entities
- Financial institutions and data governed by Title V of the Gramm-Leach-Bliley Act
- Entities and protected health information governed by the Health Insurance Portability and Accountability Act
- Nonprofit organizations
- Institutions of higher education
- Employee and B2B data
- Identifiable private information related to human subject research (in certain cases)
- Information governed by the Fair Credit Reporting Act
- Information governed by the Family Educational Rights and Privacy Act, and
- Certain employment-related information
It further includes exemptions for:
- Electric utilities, power generation companies, and retail electric providers and
- Health records (which include material maintained by a health care provider in the course of providing health care services to an individual that concerns the individual and the services provided)
In addition, entities that comply with the parental consent requirements of the Children’s Online Privacy Protection Act (COPPA) are also deemed to comply with the TDPSA’s parental consent requirements.
The TDPSA provides Texas residents with standard consumer rights relating to their personal data, including:
- Confirming whether a controller is processing the data
- Correcting and deleting the data
- Obtaining a portable copy of the personal data, and
- Opting out of the processing of the data for purposes of (1) targeted advertising, (2) sale, or (3) profiling “in furtherance of a decision that produces a legal or similarly significant effect”
The TDPSA defines “personal data” broadly to include “any information, including pseudonymous data and sensitive data, that is linked or reasonably linkable to an identified or identifiable individual.” The term does not include deidentified data or publicly available information.
Similar to the California Consumer Privacy Act (CCPA), the TDPSA adopts an expansive definition of “sale of personal data” that encompasses the sharing, disclosing, or transferring of personal data “for monetary or other valuable consideration” by the controller to a third party.
“Consent” is defined narrowly to mean a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. The term expressly excludes:
- Hovering over, muting, pausing, or closing a given piece of content, or
- Agreement obtained through the use of dark patterns
The TDPSA requires a controller to authenticate and respond to a consumer rights request within 45 days. It allows the controller to extend the response period once by an additional 45 days when reasonably necessary.
A controller must also provide information in response to a consumer request free of charge, up to twice annually per consumer.
Recognizing that most controllers have to comply with both the CCPA and VCDPA, the TDPSA seeks to reconcile the differences between the two laws by including the CCPA requirement that a controller must have two or more secure and reliable methods for consumers to submit requests. Unlike the CCPA, however, it does not require a controller to provide a toll-free telephone number.
The TDPSA further provides that a controller must establish a process for consumers to appeal the controller’s refusal to act on a request within a reasonable time period. If the controller denies an appeal, it must provide the consumer with an online mechanism (or other method) through which to contact the Attorney General to submit a complaint.
The TDPSA requires covered entities to take the following measures:
- Limit and protect personal data – A controller must:
  - Limit the collection of personal data to what is “adequate, relevant, and reasonably necessary” to achieve the processing purposes disclosed to the consumer
  - Maintain reasonable “administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data at issue”
  - Obtain consent to process a consumer’s sensitive data, and
  - Process the sensitive data of a known child in accordance with COPPA
- Provide a privacy notice – A controller must provide consumers a clear and accessible privacy notice that includes:
  - The categories of personal data (including any sensitive data) processed by the controller
  - The purpose for processing personal data
  - How consumers may exercise their consumer rights (including the right to appeal)
  - The categories of personal data that the controller shares with third parties
  - The categories of third parties with whom the controller shares personal data
  - A description of the methods through which consumers can submit requests to exercise their consumer rights, and
  - A specific notice as to whether it sells sensitive data or biometric data
Additionally, a controller that sells personal data to third parties or processes personal data for targeted advertising must clearly and conspicuously disclose such processing and the manner in which a consumer may opt out.
- Conduct data protection assessments – A controller must conduct and document a data protection assessment (DPA) of each of the following activities:
  - Processing personal data for targeted advertising
  - Selling personal data
  - Processing sensitive data
  - Processing personal data for profiling, if such profiling presents a reasonably foreseeable risk to consumers of (a) unfair or deceptive treatment or unlawful disparate impact; (b) financial, physical, or reputational injury; (c) an “offensive” physical or other intrusion on solitude or private affairs; or (d) other substantial injury, and
  - Any processing that presents a heightened risk of harm to consumers
The DPA must further identify and weigh (1) the direct or indirect benefits that may flow from the processing to the controller, the consumer, other stakeholders, and the public, against (2) the potential risks to the rights of the consumer associated with that processing (as mitigated by safeguards that can be employed by the controller to reduce the risks).
It must also factor in the use of deidentified data, the reasonable expectations of consumers, the context of the processing, and the relationship between the controller and the consumer.
Importantly, DPAs apply only to processing activities after the effective date of the TDPSA and are not retroactive.
- Safeguard deidentified or pseudonymous data – A controller possessing deidentified data must:
  - Take reasonable measures to ensure that such data cannot be associated with an individual
  - Publicly commit to maintaining and using the data without attempting to reidentify it, and
  - Contractually obligate any recipient of such data to comply with the TDPSA’s requirements for processors
A controller that discloses pseudonymous data or deidentified data must exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or deidentified data is subject and take appropriate steps to address any breach of the contractual commitments.
The TDPSA requires processors to take the following measures:
- Assist controllers – A processor must assist the controller in complying with the controller’s duties under the TDPSA, including by:
  - Responding to consumer rights requests by using appropriate technical and organizational measures
  - Ensuring the security of processing personal data and the notification of any breach of security of the processor’s system, and
  - Providing necessary information to enable the controller to conduct and document data protection assessments
- Contract with controllers – The TDPSA requires a data processing agreement between a controller and a processor that includes certain clauses, such as specifying the purpose and duration of the data processing, and the rights and obligations of both parties. It must also contain requirements that the processor will:
  - Ensure the confidentiality of personal data
  - At the controller’s direction, delete or return all personal data (unless retention is required by law)
  - Make available to the controller all information necessary to demonstrate the processor’s compliance with the TDPSA
  - Cooperate with reasonable assessments by the controller or the controller’s designated assessor (or, alternatively, arrange for a qualified and independent assessor to conduct an assessment of the processor’s policies and technical and organizational measures in support of the TDPSA’s requirements using an appropriate and accepted control standard or framework and assessment procedure), and
  - Engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the processor’s requirements with respect to the personal data
Enforcement and penalties
The TDPSA grants exclusive enforcement and investigative authority to the Attorney General. Before bringing an enforcement action, the Attorney General must give a controller 30 days to cure an identified violation. Unlike other state privacy laws, the TDPSA’s cure period does not sunset.
The Attorney General may seek a civil penalty of up to $7,500 per violation and is authorized to obtain injunctive relief.
The Attorney General shall provide, by July 1, 2024, (1) information outlining consumer rights and the responsibilities of controllers and processors under the TDPSA and (2) an Internet mechanism for submitting consumer complaints.
The TDPSA does not offer a private right of action.
- Applicability and scope – Unlike other state consumer data privacy laws, the TDPSA does not apply to entities based on revenue and data volume thresholds. Rather, it applies to entities that (1) process or sell personal data, (2) conduct business in Texas (or produce a product or service “consumed by” Texas residents), and (3) are not small businesses as defined by the SBA. Importantly, a small business is still required to obtain consent for the sale of sensitive personal data.
- Personal data – The term is defined broadly to include “any information, including pseudonymous data and sensitive data, that is linked or reasonably linkable to an identified or identifiable individual.” It does not include deidentified data or publicly available information.
- Sale of personal data – The term includes the “sharing, disclosing, or transferring of personal data for monetary or other valuable consideration” by the controller to a third party.
- Consent – The term means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. Hovering over, muting, pausing, closing a given piece of content, or obtaining agreement through use of dark patterns do not constitute consent. The TDPSA does not specify that consent can be withdrawn.
- DPAs – Controllers must conduct and document a DPA for high-risk processing activities. The DPA must weigh potential risks to consumer rights against direct/indirect benefits, mitigated by safeguards, and must take into account the use of deidentified data, processing context, and reasonable consumer expectations.
- Opt-out requests – Controllers can authenticate opt-out requests.
- Sale disclosures – If applicable, controllers must include the following statements in their privacy notice: “We may sell your sensitive personal data” and/or “We may sell your biometric personal data.”